The Internet and the World Wide Web (“Web”) have changed the landscape of information delivery and affected numerous aspects of life, including commerce. One benefit of this technological development is the ability to conduct business transactions globally via the Internet. As the volume of commerce conducted over the network continues to increase, collections of business units or organizations are working together to pool resources and expertise in order to achieve a common business objective. Organizations are sharing services and resources across enterprise boundaries in order to undertake collaborative projects that their participants could not undertake individually, or to offer composed services that could not be provided by individual organizations.
In this collaborative environment, a buyer often uses a strategic sourcing process to find qualified sources to fulfill supply needs, negotiate agreements, manage contracts and evaluate seller qualifications. Often, the number of sellers available in the virtual world overwhelms the buyer, especially since the ability to verify and authenticate the identity and qualifications of a seller remains limited.
Moreover, security and trust, which form the core of any business transaction, are difficult to establish in the virtual world. Trust in a real world transaction is often provided through a physical meeting, reputation, recommendations or prior knowledge. In an electronic commerce environment, most business transactions occur between strangers that do not share a common security domain.
Some of the common online security issues include data eavesdropping, data tampering and entity repudiation. Often, credit card, social security and financial account numbers are stolen through data eavesdropping, whereby the data remains intact but its privacy is compromised. In a data-tampering event, the data is altered or replaced during a transaction. For example, someone can change the amount to be transferred to or from a bank account. In entity repudiation, the identity of the user is compromised. Often, data is passed to a person who poses as the intended recipient.
Many security and trust management technologies have been developed to meet the increasing demand for secure business transactions. One common security approach uses the Public Key Infrastructure (PKI), which is the standard for public-key cryptographic security and is used to ensure the security of digital certificates. PKI provides three security measures: user authentication, data integrity and confidentiality. With PKI, a pair of keys is used to provide strong authentication and encryption services. The key pair is associated with a user by means of a certificate containing the user's public key and attributes associated with the user. Often, the certificate is digitally signed by a trusted third party, such as a Certification Authority (CA), and is valid only for a certain period of time. The public key associated with and certified by the certificate works with the corresponding private key possessed by the entity identified by the certificate. For example, to send data to an intended recipient, a sender first encrypts the data with the recipient's public key. Upon receiving the data, the recipient decrypts it with the corresponding private key. PKI is thus able to verify the identities of the participants through the certificate and to maintain data integrity with its encryption technology.
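The issuance, verification and public-key encryption steps just described, as an added Go example that is not part of the original text: a CA signs a certificate binding a name to a public key for a bounded validity period, and the sender encrypts to that key only after checking the certificate against the trusted CA. The use of Go's crypto/x509 and RSA-OAEP, and the names chosen for the CA and recipient, are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssueCert has the CA (caCert, caKey) sign a certificate binding name to pub for [notBefore, notAfter]; with caCert == nil the result is the CA's own self-signed root.
func IssueCert(name string, pub *rsa.PublicKey, caCert *x509.Certificate, caKey *rsa.PrivateKey, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageKeyEncipherment,
	}
	parent := caCert
	if parent == nil { // self-signed root: mark it as a CA so it may certify other keys
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// EncryptToCert is the sender's side: the certified key is used only after the certificate verifies against the trusted CA, which also rejects it outside its validity period.
func EncryptToCert(cert, trustedCA *x509.Certificate, msg []byte) ([]byte, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate does not carry an RSA public key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt is the recipient's side: only the holder of the matching private key recovers msg.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}
```

A certificate that has expired, or that chains to a CA the sender does not trust, fails in EncryptToCert before any data is encrypted.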